Data Processing Agreement

Last updated: September 15, 2025

This Data Processing Agreement ("DPA") governs how Live Summer, Inc. ("Provider") processes personal data on behalf of customers who use SummerOS services under the main Terms and Conditions agreement.

1. Definitions

  • Personal Data: Information defined as personal data under applicable Data Protection Laws.
  • Data Protection Laws: Applicable laws including CPRA, VCDPA, CPA, CDPA, UCPA, GDPR, and other EU/UK regulations.
  • Data Subject Request: Requests from individuals exercising rights under data protection regulations.
  • Security Incident: Any unauthorized disclosure or breach of personal data.
  • Authorized Persons: Provider employees and contractors with legitimate access needs.

2. Party Roles and Responsibilities

Provider's Role

Provider acts as a data processor, handling personal data solely as instructed by the customer for service delivery purposes. Provider commits to:

  • Processing data only for specified purposes in the service agreement
  • Maintaining confidentiality and not sharing data without authorization
  • Assisting customers with data protection compliance obligations

Customer Representations

Customers warrant that they have:

  • Complied with all applicable data protection laws
  • Obtained necessary consents from data subjects
  • Provided only accurate, lawfully obtained data
  • Excluded sensitive information including SSNs, health data, biometric information, payment card details, and children's data

3. Data Security and Incident Response

Provider implements appropriate technical and organizational measures to protect personal data. Upon discovering a security incident, Provider must:

  • Notify customers without undue delay per applicable legal requirements
  • Take prompt steps to contain and investigate any breach

Notification of a security incident does not constitute an admission of fault or liability.

4. Sub-Processors

Provider may engage third-party sub-processors. The current list of sub-processors is available at summeros.com/legal/sub-processors. Customers may:

  • Review the current sub-processor list at any time
  • Object to the addition of specific sub-processors
  • Terminate services if an objection cannot be resolved

Provider ensures all sub-processors maintain equivalent data protections through written contracts.

5. Data Subject Rights

Provider will inform customers of data subject requests and take reasonable measures to enable compliance with individual rights under applicable data protection laws, including:

  • Right to access information
  • Right to data portability
  • Right to deletion or erasure
  • Right to correct inaccurate data

6. International Data Transfers

International data transfers require agreement between parties using legally compliant transfer mechanisms. If applicable regulations change and affect transfer validity, both parties commit to updating agreements to maintain compliance.

7. Audit and Records

Customers may audit Provider's compliance with this DPA no more than once per year at no additional cost. Provider maintains records sufficient to demonstrate compliance with this DPA.

8. Data Retention and Deletion

Upon termination of the service agreement, Provider will delete or return personal data per the customer's election, except where legal retention requirements mandate otherwise or the service agreement specifies different treatment.

9. Cooperation with Authorities

Provider will notify customers of any regulatory inquiries concerning personal data processing within a reasonable timeframe, unless prohibited by law. Provider will assist with data protection impact assessments and regulatory consultations as reasonably needed.

10. Liability

The liability limitations set forth in the main Terms of Use apply to this DPA, except that those limitations do not limit a party's liability for that party's own violations of this DPA.

Attachment A: Processing Details

  • Data Subjects: Customer data subjects
  • Subject Matter: Personal data identified in the Agreement
  • Duration: Length of the service agreement term
  • Nature and Purpose: Processing necessary to provide contracted services
  • Data Types: Personal data only (no special categories without prior written approval)

Contact

Questions regarding this Data Processing Agreement should be directed to legal@gosummer.com.